Automation with business rules

6.2.3

You can use a business rule to automate tasks on ServiceNow. A business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.

You can create a business rule to monitor FortiAnalyzer incidents and events imported or updated on the FortiAnalyzer Integration App.

To create a business rule:
  1. In ServiceNow, go to System Definition > Business Rules, or type Business Rules in the application explorer.
  2. In the Business Rules page, click New.
Example business rule:

The following example uses a business rule to create a customized security incident when a Denial of Service incident is raised in FortiAnalyzer.

  1. Configure the business rule settings.

    Property      Description
    Name          Enter a name for the business rule.
    Table         Select faz_incident_secops from the list.
    Application   This is the application that contains the business rule. The application is set to Global by default and cannot be changed.
    Active        This enables the business rule.
    Advanced      Select this option to see the advanced version of the form.
  2. In the When to Run area, configure the business rule condition.
    When                Select After to run the business rule when the conditions are met.
    Update              Select this option to run the business rule when the incident is updated.
    Filter Conditions   • Select Category from the choose field list.
                        • Set the operator to Is.
                        • Enter CAT2 in the Value field to run the business rule when FortiAnalyzer creates a Denial of Service (DoS) incident.
    Role Conditions     Select the roles that users modifying records in the table must have for this business rule to run. See ServiceNow roles.
  3. In the Advanced area, create a script that runs when the defined condition is true.

    Property      Description
    Conditions    Enter a conditional statement to specify when the business rule should run.
    Script        The following script demonstrates how to change the form fields when the condition is met:

    (function executeRule(current, previous /*null when async*/) {
        var incid = current.getValue('incid');

        // Check whether a security incident already exists for this FortiAnalyzer incident.
        // The two-argument addQuery() form matches incid as a literal value
        // instead of parsing it as part of an encoded query string.
        var egr = new GlideRecord('sn_si_incident');
        egr.addQuery('short_description', incid);
        egr.query();
        if (egr.next()) {
            return;
        }

        // Current data
        var severity = current.getValue('severity');
        var description = current.getValue('description');

        // Default mapping: low
        var sn_impact = 3; // low
        var sn_priority = 4; // low
        var sn_Severity = 3; // low
        if (severity == "high") {
            sn_impact = 1;
            sn_priority = 2;
            sn_Severity = 1;
        } else if (severity == "medium") {
            sn_impact = 2;
            sn_priority = 3;
            sn_Severity = 2;
        }

        // Security Incident
        var gr = new GlideRecord('sn_si_incident');
        gr.initialize();
        gr.state = 1; // Analysis
        gr.substate = 3; // Pending incident
        gr.category = "Denial of Service";
        gr.subcategory = 12; // Inbound or outbound
        gr.severity = sn_Severity;
        gr.impact = sn_impact;
        gr.priority = sn_priority;
        gr.short_description = incid;
        gr.description = 'copy description from faz: ' + description;
        gr.insert();
    })(current, previous);

  4. Click Submit.
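
The rule runs on every update of a matching record, so the duplicate check and the severity mapping are worth exercising before the rule is enabled. The following is an added example, not part of the Fortinet documentation: it reproduces the rule's flow against a small in-memory stand-in for GlideRecord so it can run in Node.js outside a ServiceNow instance. FakeGlideRecord, mapSeverity, runRule, fazRecord and the sample records are hypothetical names and constructed data.

```javascript
// Added example: minimal in-memory stand-in for GlideRecord (hypothetical; only
// the calls the rule uses). Not ServiceNow code.
const tables = { sn_si_incident: [] };            // constructed, empty target table

class FakeGlideRecord {
  #table; #filters = []; #hits = [];
  constructor(table) { this.#table = table; }
  addQuery(field, value) { this.#filters.push([field, value]); }
  query() {
    this.#hits = tables[this.#table].filter(row =>
      this.#filters.every(([f, v]) => String(row[f]) === String(v)));
  }
  next() { return this.#hits.shift() !== undefined; }
  initialize() {}
  insert() { tables[this.#table].push({ ...this }); }  // copies public fields only
}

// FortiAnalyzer severity -> ServiceNow impact/priority/severity, as in the script.
function mapSeverity(fazSeverity) {
  if (fazSeverity === 'high') return { impact: 1, priority: 2, severity: 1 };
  if (fazSeverity === 'medium') return { impact: 2, priority: 3, severity: 2 };
  return { impact: 3, priority: 4, severity: 3 };  // low, and any unrecognised value
}

// Same flow as the business rule; returns true when a security incident is created.
function runRule(current, GR = FakeGlideRecord) {
  const incid = current.getValue('incid');
  const existing = new GR('sn_si_incident');
  existing.addQuery('short_description', incid);
  existing.query();
  if (existing.next()) return false;               // already raised for this incident
  const gr = new GR('sn_si_incident');
  gr.initialize();
  Object.assign(gr, mapSeverity(current.getValue('severity')), {
    state: 1, substate: 3, category: 'Denial of Service', subcategory: 12,
    short_description: incid,
    description: 'copy description from faz: ' + current.getValue('description'),
  });
  gr.insert();
  return true;
}

// Constructed faz_incident_secops records exposing getValue() like `current`.
const fazRecord = fields => ({ getValue: name => fields[name] ?? null });
const first = fazRecord({ incid: 'IN00000001', severity: 'high', description: 'SYN flood' });
const odd = fazRecord({ incid: 'IN00000002', severity: 'critical', description: 'UDP flood' });

console.log(runRule(first), runRule(first), runRule(odd)); // true false true
console.log(tables.sn_si_incident.map(r => [r.short_description, r.priority]));
```

The second call for the same incident creates nothing, and a severity value the mapping does not recognise is filed as low priority, which is the case to review if the source can send values other than high and medium.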
